Post on 14-Apr-2018
7/29/2019 A Practitioner's Approach for Developing Information Security Policy (166245888)
http://slidepdf.com/reader/full/a-practitioners-approach-for-developing-information-security-policy-166245888 1/17
A Practitioner’s Approach
for Implementing Information Security Policy
David Wilhite, IT Security Office
primary author of IS procedures
at University of South Carolina
Ask questions at any time.
About Our Environment
35,000 students
8 campuses
centralized / decentralized IT
8,000 faculty & staff
Establishing Governance
Authority + Requirements
Policy Framework
Policy – overall intent and direction
• originates at trustee/executive level
• avoids specifics which may be subject to change
Standard – basis by which to measure policy
• originates at data steward level
• high level detail, without implementation guidance
Guideline – implementation guidance
• authored/endorsed by subject matter experts
• more details, but not specific to org. units
Procedure – implementation steps & provisions
• authored/endorsed by organizational unit
• more details, specific to organizational unit
(built from the top, downward)
That’s too abstract! Give me an example!
Policy – overall intent and direction
• originates at trustee/executive level
• avoids specifics which may be subject to change
Example – State Constitution: “The legislature shall establish laws to protect the safety of the people.”
Standard – basis by which to measure policy
• originates at data steward level
• high level detail, without implementation guidance
Example – State Law: “No one shall operate a vehicle at an unsafe speed. The Dept of Transportation shall determine and post maximum safe speed.”
Guideline – implementation guidance
• authored/endorsed by subject matter experts
• more details, but not specific to org. units
Example – Experts document criteria for determining maximum safe driving speed.
Procedure – implementation steps & provisions
• authored/endorsed by organizational unit
• more details, specific to organizational unit
Example – DOT consults guidelines and prescribes speed limits.
Objective in the example: public safety
Dual Authority and Enforcement
Board and Executives – Policies
Data Trustees & Stewards – Standards
University Info Security Office – Procedures
Checks & Balances
Board and Executives – Policies
Data Trustees & Stewards – Standards
Executive Advisory Comm.
University Info Security Office – Procedures
Functional Advisory Comm.
Auditor
Strategy to Complete Policy Framework
Policies
Establish Policy. Requires executive backing.
Standards
Create Data Access Requirements documents. Identify protected data elements (per Data Steward).
Create Data Security Requirements document. Based on industry standards (ISO 27002, PCI DSS).
Guidelines and Procedures
Create Information Security Program documents. High level guidelines and procedures.
Policies
Browse other institutions’ policy documents, and plagiarize shamelessly.
Adapt to your environment.
See who will endorse it.
Never waste a good crisis. But if you do, just keep looking; they’re not hard to find.
http://www.sc.edu/policies/univ150.pdf – Data Access / Stewards
http://www.sc.edu/policies/it300.pdf – Information Security
Data Access Requirements (Standards)
Data Stewards create Data Access Requirements documents.
Data Stewards endorse the Data Security Requirements document (drafted by IS Office).
Data Access Requirements – Registrar
Authoritative Datasets
“General Student” table
“Grades” table
Sensitive Data Types
Social Security Number (Restricted) – whether full or partial, must be treated as Restricted Data.
Academic Scores (Restricted)
Disciplinary Information (Restricted) – All information related to academic probation or other disciplinary actions must be treated as Restricted.
Directory Data (Limited/General Access) – Several data types are classified below as Directory Data. For students who have requested this data to be unlisted, it must be treated as Limited Access. For other students, this data is General Access. Where unlisted status is not known, treat as Limited Access.
Phone Number (Limited/General Access) – see Directory Data above.
Email Address (Limited/General Access) – see Directory Data above.
Authoritative Datasets listed above may only be accessed under the terms and conditions outlined in the Data Security Requirements document, posted here: [URL]
All Sensitive Data Types listed above, regardless of source, must be used only as specified in the Data Security Requirements document, posted here: [URL]
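The Registrar's Data Access Requirements above read naturally as a small access-decision rule, including its fail-closed clause (unknown unlisted status is treated as Limited Access). The following is an added policy-as-code illustration, not material from the presentation or from the University's own systems; the field names, the `Level` clearance scale, and the student records are constructed for the example.

```python
"""Policy-as-code rendering of the Registrar's Data Access Requirements.

Added illustration. Field names, the clearance scale and the sample records
are constructed; they are not the University's schema or data.
"""
from enum import IntEnum
from typing import Dict, Optional


class Level(IntEnum):
    """Classification levels from the standard, ordered so that a higher
    clearance may read anything classified at or below it."""
    GENERAL = 0
    LIMITED = 1
    RESTRICTED = 2


# Data types the standard classifies unconditionally. Both "ssn" and
# "ssn_last4" are Restricted because full *or partial* SSNs are Restricted.
FIXED: Dict[str, Level] = {
    "ssn": Level.RESTRICTED,
    "ssn_last4": Level.RESTRICTED,
    "academic_scores": Level.RESTRICTED,
    "disciplinary": Level.RESTRICTED,
}

# Directory Data: classification depends on the student's unlisted request.
DIRECTORY = {"phone_number", "email_address"}


def classify(data_type: str, unlisted: Optional[bool]) -> Level:
    """Effective classification of one data type for one student.

    `unlisted` is True if the student asked for directory data to be unlisted,
    False if not, and None if that status is not known. The standard's rule
    for the unknown case is Limited Access, i.e. the decision fails closed.
    """
    if data_type in FIXED:
        return FIXED[data_type]
    if data_type in DIRECTORY:
        return Level.GENERAL if unlisted is False else Level.LIMITED
    # Anything the standard does not classify is not released at all.
    raise KeyError(f"data type not covered by the standard: {data_type}")


def may_access(data_type: str, unlisted: Optional[bool], clearance: Level) -> bool:
    """True if a requester with `clearance` may see this data type."""
    return clearance >= classify(data_type, unlisted)


def release(record: dict, clearance: Level) -> dict:
    """Copy of a student record holding only the fields the clearance permits."""
    unlisted = record.get("unlisted")  # absent -> None -> fail closed
    out = {}
    for field, value in record.items():
        if field in ("student_id", "unlisted"):
            continue  # bookkeeping fields, not data types the standard covers
        try:
            if may_access(field, unlisted, clearance):
                out[field] = value
        except KeyError:
            continue  # unclassified field: withhold rather than guess
    return out


# Constructed sample records (not real students).
STUDENTS = [
    {"student_id": 1, "unlisted": False, "phone_number": "803-555-0100",
     "email_address": "a@example.edu", "ssn_last4": "6789",
     "academic_scores": {"CSCE101": "A"}},
    {"student_id": 2, "unlisted": True, "phone_number": "803-555-0101",
     "email_address": "b@example.edu"},
    # unlisted status unknown; "shoe_size" is not a classified data type
    {"student_id": 3, "phone_number": "803-555-0102", "shoe_size": 10},
]

if __name__ == "__main__":
    for student in STUDENTS:
        print(student["student_id"], release(student, Level.GENERAL))
```

Two design points carry the standard's intent: a missing or unknown `unlisted` flag yields Limited Access rather than General Access, and a field the standard never classified is withheld rather than passed through, so adding a column to the source table can only narrow what a General Access consumer sees until a Data Steward classifies it.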
Data Security Requirements (Standards)
http://uts.sc.edu/itsecurity/docs/USC-DSR-Checklist-Restricted.pdf
Guidelines and Procedures
UISO 901.3.1 Media Security Procedure
Purging/Destruction Process
• Rewritable media, whether fixed or removable, must be sanitized by using software or be physically destroyed in such a way that data is irretrievable. The software that is chosen should overwrite the entire contents of the media at least one time, which is sufficient for most data being stored. However, for data from some sources, those sources may require more stringent processes (e.g. Department of Defense research data). In such cases, follow their more restrictive guidelines. See Appendix A for suggested erasure software to use.
OU Procedure 901.3.1-A may establish greater detail for this process.
UTS 901.3.1-A Rewritable Media Purging
Purging Process
• PC Intel platforms: Use “DBAN” software configured to write a single pass of random data.
• Mac Intel platforms: Use method described in Apple support article https://support.apple.com/kb/HT1820
CSE 901.3.1-A Rewritable Media Purging
Purging Process
• Use “DBAN” software configured to use “DoD Short” method.
Security Office creates a University-level Procedure, as part of the Information Security Program, calling on OUs to fill in details.
One department may specify the details one way. Other departments may choose other details.
Information Security Program
http://uts.sc.edu/itsecurity/program
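The University-level procedure above states the requirement (overwrite the entire contents at least once; some data sources demand more), and the OU procedures pick the tool and pass count. The following is an added example, not part of the presentation and not DBAN or any tool the procedures name: it applies the single-pass random overwrite to one file and then confirms the original content is no longer present. The sample file, its contents and the `purge_demo` helper are constructed for the example.

```python
"""File-level illustration of the "overwrite at least once" purging requirement.

Added example; not DBAN, not an OU procedure, and not whole-device erasure.
The sample file and the marker string are constructed.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files need little memory


def overwrite_file(path: str, passes: int = 1, chunk: int = CHUNK) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Returns the number of bytes overwritten per pass. The file is opened for
    update rather than truncation so that its size (and allocated blocks) do
    not change, and fsync is called so the data actually reaches the device.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains(path: str, needle: bytes) -> bool:
    """Scan the file for a byte pattern; used to confirm the old content is gone."""
    with open(path, "rb") as f:
        return needle in f.read()


def purge_demo(passes: int = 1):
    """Create a constructed sample file, purge it, and report
    (bytes written per pass, marker present before, marker present after)."""
    marker = b"123-45-6789"  # constructed, not a real SSN
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "student-grades.csv")
        with open(path, "wb") as f:
            f.write(b"id,name,ssn\n1,Jane Doe," + marker + b"\n" * 100)
        before = contains(path, marker)
        written = overwrite_file(path, passes=passes)
        after = contains(path, marker)
        assert os.path.getsize(path) == written  # size unchanged by the overwrite
        return written, before, after


if __name__ == "__main__":
    print(purge_demo())
```

The caveat a practitioner would add to an OU procedure: overwriting a file in place only sanitizes the blocks the filesystem currently maps to that file. Journaling filesystems, snapshots, copy-on-write storage and SSD wear levelling can leave earlier copies elsewhere, which is why the OU procedures above point at whole-device tools (DBAN, Apple's documented method) rather than file-level wipes, and why a source with stricter requirements may demand more passes or physical destruction.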
Eating the Elephant – All at Once?
• Risk: Frustrating staff.
• Risk: Clandestine noncompliance.
• Risk: Additional legal liability.
Eating the Elephant – In Byte-Sized Pieces
Assess your current achievable level of compliance.
Set the bar there (with deadline).
Bring into compliance.
Raise the bar (with deadline).
Data Security Requirements (Standards)
Updates and Protests
Board and Executives – Policies
Data Trustees & Stewards – Standards
Executive Advisory Comm.
University Info Security Office – Procedures
Functional Advisory Comm.
Establishing a Policy Framework
for Information Security
Questions?